Social engineering attacks

What they are and how these attacks take advantage of our natural tendencies

A social engineering attack is one in which an attacker uses social means to change your behaviour so that you do something that benefits them.

We have a natural tendency to trust people, and to help them by answering questions openly.

A social engineering attack takes advantage of this natural tendency.

How social engineering attacks work

 

What attackers are after

A social engineering attack is generally after one of two things:

  • Data
  • Physical access to a location

Attackers operate by getting you to willingly hand over information, or access to something they want, even if it is not in your interests to do so.

 

How attackers contact you

Recorded social engineering attacks have taken place by mail as far back as the 17th century. There are as many ways for a social engineer to target you as there are means of communication.

The most common attacks take place over:

  • Email
  • Telephone
  • SMS Text Message
  • Social Media (Facebook, Twitter, LinkedIn)
  • Messaging Apps (Messenger, Skype, WhatsApp)
  • Forums and chat rooms
  • Dating sites
  • Face to face

 

How attackers get you to do what they want

When a social engineer asks you questions, it might seem quite reasonable to give them information freely. They could pretend to be a figure of authority, a friend or even just somebody in need.

What they will do is appeal to your emotions in some way. Common emotional triggers they use are:

  • Fear – by acting as somebody in authority, making threats or simply insisting that something must be done within a tight time limit.
  • Compassion – by pretending to be poor, lonely or even a family member in financial need.
  • Loneliness – dating sites and social media are rife with fake accounts and bots trying to lure in the unwary, building trust, promising romance and then using the victim.
  • Greed – get-rich-quick scams, fake jobs and interviews, and false lotteries and prizes are all used.

Even if what you tell them is not enough information to let them "log in as you", or take advantage directly, social engineering attackers:

  • gradually build up a picture
  • learn your weak points
  • gain your confidence
  • combine what you tell them with information they have found elsewhere.

 

How to protect yourself

Protecting yourself from social engineering is difficult, as we all have emotional triggers and we all want to be helpful and friendly.

There are, however, a few key things that will help make you a harder target for social engineers:

  • Be wary of unprompted contact from strangers. Cold callers and unknown contacts on social media and dating sites can all be a potential first step for a social engineer.
  • If it sounds too good to be true, it may well be.
  • Be wary of unsolicited messages that aggressively push for you to take some kind of action within a tight timeframe.
  • Be aware of what you tell people, especially if it is about any kind of information that protects our security.

If you think you are being targeted by social engineers you can contact Police Scotland for help.